惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
The Register - Security
The Register - Security
Hugging Face - Blog
Hugging Face - Blog
博客园 - 聂微东
GbyAI
GbyAI
Recent Commits to openclaw:main
Recent Commits to openclaw:main
博客园_首页
D
Docker
S
Security @ Cisco Blogs
K
Kaspersky official blog
爱范儿
爱范儿
Simon Willison's Weblog
Simon Willison's Weblog
TaoSecurity Blog
TaoSecurity Blog
V
V2EX
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Troy Hunt's Blog
Cloudbric
Cloudbric
博客园 - 三生石上(FineUI控件)
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
The Hacker News
The Hacker News
美团技术团队
S
SegmentFault 最新的问题
L
Lohrmann on Cybersecurity
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
宝玉的分享
宝玉的分享
The Last Watchdog
The Last Watchdog
Y
Y Combinator Blog
M
MIT News - Artificial intelligence
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Martin Fowler
Martin Fowler
Google Online Security Blog
Google Online Security Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tor Project blog
Vercel News
Vercel News
The Cloudflare Blog
G
Google Developers Blog
T
Threat Research - Cisco Blogs
AI
AI
Stack Overflow Blog
Stack Overflow Blog
I
InfoQ
Scott Helme
Scott Helme
S
Schneier on Security
大猫的无限游戏
大猫的无限游戏
The GitHub Blog
The GitHub Blog
S
Securelist
IT之家
IT之家
Microsoft Azure Blog
Microsoft Azure Blog

Plugins on CoreDNS: DNS and Service Discovery

kubernetes log proxyproto rewrite forward clouddns errors grpc_server https https3 template auto geoip multisocket nomad dnstap import view ready etcd header loadbalance bind grpc file prometheus quic timeouts autopath dnssec root bufsize k8s_external reload acl cache health trace tsig route53 dns64 transfer secondary loop minimal sign azure local any cancel debug erratic metadata nsid pprof hosts chaos whoami
tls
2024-11-22 · via Plugins on CoreDNS: DNS and Service Discovery

Description

CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858) or are using gRPC (https://grpc.io/ , not an IETF standard). Normally DNS traffic isn’t encrypted at all (DNSSEC only signs resource records).

The tls “plugin” allows you to configure the cryptographic keys that are needed for both DNS-over-TLS and DNS-over-gRPC. If the tls plugin is omitted, then no encryption takes place.

The gRPC protobuffer is defined in pb/dns.proto. It defines the proto as a simple wrapper for the wire data of a DNS message.

Syntax

Parameter CA is optional. If not set, system CAs can be used to verify the client certificate

tls CERT KEY [CA] {
    client_auth nocert|request|require|verify_if_given|require_and_verify
}

If client_auth option is specified, it controls the client authentication policy. The option value corresponds to the ClientAuthType values of the Go tls package: NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively. The default is “nocert”. Note that it makes no sense to specify parameter CA unless this option is set to verify_if_given or require_and_verify.

Examples

Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the nameservers defined in /etc/resolv.conf to resolve the query. This proxy path uses plain old DNS.

tls://.:5553 {
	tls cert.pem key.pem ca.pem
	forward . /etc/resolv.conf
}

Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for incoming queries.

grpc://. {
	tls cert.pem key.pem ca.pem
	forward . /etc/resolv.conf
}

Start a DoH server on port 443 that is similar to the previous example, but using DoH for incoming queries.

https://. {
	tls cert.pem key.pem ca.pem
	forward . /etc/resolv.conf
}

Only Knot DNS’ kdig supports DNS-over-TLS queries, no command line client supports gRPC making debugging these transports harder than it should be.

See Also

RFC 7858 and https://grpc.io.